{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5341", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-29T22:45:18.013Z", "datePublished": "2025-06-05T11:15:06.223Z", "dateUpdated": "2026-04-08T16:48:39.419Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:39.419Z"}, "affected": [{"vendor": "wpmudev", "product": "Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.44.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018id' and 'data-size\u2019 parameters in all versions up to, and including, 1.44.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Forminator <= 1.44.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/415bfddb-5223-439f-8a08-535f79631ff0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.44.1/assets/forminator-ui/js/forminator-form.js#L985"}, {"url": "https://wordpress.org/plugins/forminator/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3306475"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "timeline": [{"time": "2025-06-04T21:58:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-05T14:27:59.799058Z", "id": "CVE-2025-5341", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-05T14:28:14.441Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5341", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-05T14:27:59.799058Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-05T14:28:07.575Z"}}], "cna": {"title": "Forminator <= 1.44.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters", "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpmudev", "product": "Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.44.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-04T21:58:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/415bfddb-5223-439f-8a08-535f79631ff0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.44.1/assets/forminator-ui/js/forminator-form.js#L985"}, {"url": "https://wordpress.org/plugins/forminator/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3306475"}], "descriptions": [{"lang": "en", "value": "The Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018id' and 'data-size\u2019 parameters in all versions up to, and including, 1.44.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:39.419Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5341", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:48:39.419Z", "dateReserved": "2025-05-29T22:45:18.013Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-05T11:15:06.223Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpmudev:forminator_forms:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "1FF4AA5B-6585-4F9F-9DB8-C6077E1C0118", "versionEndExcluding": "1.44.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018id' and 'data-size\u2019 parameters in all versions up to, and including, 1.44.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Forminator Forms \u2013 Contact Form, Payment Form &amp; Custom Form Builder para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de los par\u00e1metros \"id\" y \"data-size\" en todas las versiones hasta la 1.44.1 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5341", "lastModified": "2025-07-10T14:40:42.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-06-05T12:15:23.640", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.44.1/assets/forminator-ui/js/forminator-form.js#L985"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3306475"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/forminator/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/415bfddb-5223-439f-8a08-535f79631ff0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:26:14.669709+00:00", "value": {"mitigation_remediation": ["Update the Forminator plugin to the latest supported version that patches the stored XSS flaw.", "Limit Contributor or higher roles to trusted users and consider revoking access for non\u2011essential accounts.", "Implement a Content Security Policy that restricts inline script execution to mitigate any residual or future injection attempts."], "summary": {"action": "Patch", "impact": "Stored DOM-based Cross-Site Scripting allowing authenticated contributors to inject arbitrary scripts"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Forminator Forms \u2013 Contact Form, Payment Form & Custom Form Builder plugin from WPMUDEV, specifically any released version up to and including 1.44.1. Users must verify that their installation does not include these vulnerable versions.", "description_and_impact": "The Forminator Forms plugin for WordPress is vulnerable to stored DOM-based XSS through the 'id' and 'data-size' parameters in versions up to and including 1.44.1. Insufficient sanitization and escaping permits an authenticated user with Contributor or higher access to embed malicious scripts that are executed on any user viewing the affected page. This flaw falls under CWE-79.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog, further reducing immediate risk. Attackers require authenticated Contributor-level or higher access, and must submit malicious payloads via the vulnerable parameters, after which the script is stored and executed for subsequent visitors. Due to these constraints, the likely attack vector is internal exploitation by site contributors who can edit form content."}}}}, "created": "2026-04-22T01:30:05.236456+00:00", "updated": "2026-04-22T01:30:05.236472+00:00", "vendors": []}